# Offensive passwords?



## Ether's Bane (Mar 1, 2013)

First off, trigger warning for potential problematic content that may arise throughout this thread.

Okay, now that that's out of the way:

Are there any sanctions imposed against offensive passwords? (I'm assuming Butterfree can see all our passwords.) I was thinking of changing my password to a fairly offensive term (not because I have such sentiments, but because it's easy to remember), but I wasn't sure about the ruling on this, so I've asked.


----------



## ultraviolet (Mar 1, 2013)

well... nobody would see them except you anyway. I'm pretty sure passwords are encrypted and nobody can see them - you can't in Mod CP, anyway.


----------



## Negrek (Mar 1, 2013)

Yeah, passwords aren't even stored as plaintext. (Thankfully.)


----------



## Butterfree (Mar 1, 2013)

To elaborate a bit, what is actually stored in the database when you've provided a password is not the actual password you typed, but a _hash_ - a long string of gibberish produced by running a particular type of mathematical function on the password. When you type in your password to log in, what happens is that the forum runs what you typed in through the same function (_hashes_ it) and checks that the resulting gibberish matches the gibberish that it has in the database. Because that's how functions work, the same password will always result in the same hash when you've run the function on it - however, there is no function that can reverse the hash function and turn the hash back into the original password. This means that even though I could look up the hash of your password in the database, I could not find out your actual password, unless I were to "brute-force" it by trying every possible password until I get the right hash. (It's a little more complicated than that, because of "salting", but there's no need to go into that.)

Storing passwords in plaintext is horrifically dangerous, especially because people reuse the same password on many different sites all the time - even if you trust the administrator of the site completely to not hijack any of your accounts, if hackers manage to get into the database, they'll be able to see the passwords and take over your accounts in many different places.

So, long story short, no human being ever has access to your actual password, so it doesn't matter if it's offensive, a plot to overthrow my adminship, or whatever. Just make it strong.


----------
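Added example (not part of the thread or the forum software's own code): the store-and-verify flow Butterfree describes, including the salting the post skips. The choice of PBKDF2-HMAC-SHA256, the iteration count, the record format and the sample password are assumptions made for illustration; the thread does not say which function the forum uses.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # work factor chosen for this example, not the forum's setting


def unsalted_hash(password: str) -> str:
    """Plain hash as in the post: the same password always gives the same hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password: str) -> str:
    """Build 'iterations$salt_hex$hash_hex', the only thing the database keeps."""
    salt = os.urandom(16)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Hash the login attempt with the stored salt and compare to the stored hash."""
    iterations, salt_hex, hash_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    # Without a salt, two accounts sharing a password share a hash.
    print("unsalted equal:", unsalted_hash(pw) == unsalted_hash(pw))
    # With a salt, the stored records differ but both still verify.
    alice, bob = make_record(pw), make_record(pw)
    print("salted records equal:", alice == bob)
    print("alice logs in:", verify(pw, alice))
    print("wrong password:", verify("not the password", alice))
```

An administrator reading the database sees only the record string, so the text of the password is not visible; a weak password can still be found by guessing, which is why the post's advice is to make it strong.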

